Brother ADS-1100W FTP-Scanning setup

This document scanner can send documents directly to an FTP server. Install vsftpd via aptitude install vsftpd and set /etc/vsftpd.conf as follows:

listen=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
write_enable=YES
anonymous_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_root=/data/ftp

This enables anonymous uploading for everyone! Create /data/ftp/incoming and chown it to ftp.ftp. Add the following section to /etc/samba/smb.conf to give Windows clients easy access to the scans:

[scans]
   comment = Scans
   path = /data/ftp/incoming
   force user = ftp
   force group = ftp
   read only = No

Server Setup with Debian 10 (Buster)

Note: Basic networking is done via a Fritzbox, which provides IP-Address assignment and routing.

Run the Debian setup with the following choices:

  • Graphical Install
  • Language Settings
  • User with sudo to root
  • Guided encrypted partitioning with separate /home, /var & /tmp
  • Software selection: Basic system tools & SSH server

After the first reboot, adapt sources.list to include the contrib and non-free repositories and install the firmware for the (usually built-in) Realtek network chip:

sudo aptitude install firmware-realtek

Dynamic DNS is required to make the server available to the outside under a memorable name:

@hourly wget -O - http://freedns.afraid.org/dynamic/update.php?<id> >/dev/null 2>&1

Setup services:

Additional things to do

Prevent console clearing after boot up

Add/edit /etc/systemd/system/getty@.service.d/noclear.conf

[Service]
TTYVTDisallocate=no

Run systemctl daemon-reload to make the change take effect.

Backup with rsnapshot

Backup concept

A backup server, which can be woken via wake-on-LAN, pulls data from the live servers via rsnapshot. Waking it, creating the backup, and shutting it down are all triggered from one specific live server.

Key generation and automated login

First create an SSH key which will authorize the backup server against the live servers: on the backup server run ssh-keygen -b 4096 -f backup_auth. The generated file backup_auth.pub has to be appended to /root/.ssh/authorized_keys on each live server to enable automated login. Later the commands available to this key will be limited to rsync only, for safety reasons. Check that the client's /etc/ssh/sshd_config sets PermitRootLogin without-password so that a first connection test from the backup server can succeed. Do this vice versa for the live server which will later control the backup server.

Rsnapshot

Run aptitude install rsnapshot and modify /etc/rsnapshot.conf to contain at least the following (see the comments in the config file for explanations):

snapshot_root <path>
no_create_root 1
cmd_ssh /usr/bin/ssh
retain ...
ssh_args -i /root/.ssh/backup_auth

# live server directories
backup root@server.local:/etc/ ./
backup root@server.local:/home/ ./
[...]

Limiting rights of automated login

Extract (Debian 8/9) or copy (Debian 10) rrsync (restricted rsync) from /usr/share/doc/rsync/scripts to /usr/local/bin/rrsync and make it executable. The backup auth key can now be restricted in /root/.ssh/authorized_keys: prepend the entry with command="/usr/local/bin/rrsync -ro /", which limits access with this key to just this command. Further restrictions can be added after the command option:

command="/usr/local/bin/rrsync -ro /",no-pty,no-agent-forwarding,no-port-forwarding,no-X11-forwarding,no-user-rc ssh-rsa ...

Additionally change PermitRootLogin in /etc/ssh/sshd_config to forced-commands-only.
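Two helpers for the key restriction described above, written as an added example that is not part of the original notes: the first produces the restricted authorized_keys entry from a plain public key line, the second audits an existing authorized_keys file for entries that still lack a forced command, and the third reports which PermitRootLogin value sshd will actually honour (sshd takes the first directive it finds). The rrsync path /usr/local/bin/rrsync and the option list are taken from the notes; the key material in the comments is constructed.

```bash
#!/bin/bash
# Added example (not from the original notes). Assumes rrsync is installed at
# /usr/local/bin/rrsync as described above.

# Options from the notes: rsync-only forced command plus the usual lock-downs.
KEY_OPTS='command="/usr/local/bin/rrsync -ro /",no-pty,no-agent-forwarding,no-port-forwarding,no-X11-forwarding,no-user-rc'

# restrict_key_line "TYPE BASE64 [COMMENT]": print the key with KEY_OPTS prepended.
# Rejects anything that does not look like an OpenSSH public key line.
restrict_key_line() {
  local type b64 comment
  read -r type b64 comment <<EOF
$1
EOF
  case "$type" in
    ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
    *) echo "not a public key line: $1" >&2; return 1 ;;
  esac
  [ -n "$b64" ] || { echo "missing key material" >&2; return 1; }
  printf '%s %s %s%s\n' "$KEY_OPTS" "$type" "$b64" "${comment:+ $comment}"
}

# unrestricted_keys FILE: print every active key line in FILE that carries no
# command= option, i.e. every key that still allows an interactive root login.
unrestricted_keys() {
  grep -Ev '^[[:space:]]*(#|$)' "$1" | grep -v 'command="'
}

# effective_permit_root_login FILE: sshd honours the first PermitRootLogin
# directive, so print that one (prohibit-password is the compiled-in default
# since OpenSSH 7.0 when none is set).
effective_permit_root_login() {
  local v
  v=$(awk 'tolower($1)=="permitrootlogin"{print $2; exit}' "$1")
  printf '%s\n' "${v:-prohibit-password}"
}

# Example usage (constructed key, not a real one):
# restrict_key_line "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5CONSTRUCTED root@backup" >> /root/.ssh/authorized_keys
# unrestricted_keys /root/.ssh/authorized_keys
# effective_permit_root_login /etc/ssh/sshd_config
```

Run unrestricted_keys against the live server's /root/.ssh/authorized_keys after the change; it should print nothing once every remaining key is tied to a forced command.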

Automation

Waking the backup server

wakeonlan [...]

Creating backups

ssh -i <keyfile> rsnapshot [...]

Keyfile should authenticate the live server against the backup server.

Shutting the backup server down

ssh -i <keyfile> /sbin/ethtool -s eth0 wol g
ssh -i <keyfile> /sbin/shutdown -h -t 1
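The three automation steps above (wake, back up, shut down) combined into one script run from the controlling live server, as an added example that is not part of the original notes. It adds the piece a practitioner needs between waking and backing up: polling until the backup server actually answers over SSH, with a bounded number of attempts. The MAC address, hostname and key path are constructed placeholders; the control key must be permitted to run rsnapshot, ethtool and shutdown on the backup server, and the wakeonlan package is assumed to be installed.

```bash
#!/bin/bash
# Added example (not from the original notes): full backup cycle driven from
# the live server. All values below are constructed placeholders.
BACKUP_MAC="${BACKUP_MAC:-00:11:22:33:44:55}"   # MAC of the backup server's NIC
BACKUP_HOST="${BACKUP_HOST:-backup.local}"      # hostname of the backup server
KEYFILE="${KEYFILE:-/root/.ssh/backup_ctl}"     # key authorising live -> backup
LEVEL="${LEVEL:-daily}"                          # rsnapshot retain level to run

# wait_for_host HOST ATTEMPTS INTERVAL PROBE...: run PROBE up to ATTEMPTS times,
# sleeping INTERVAL seconds between tries. Returns 0 as soon as PROBE succeeds,
# 1 when all attempts fail. PROBE is injected so the logic can be tested offline.
wait_for_host() {
  local host="$1" attempts="$2" interval="$3"; shift 3
  local i=0
  while [ "$i" -lt "$attempts" ]; do
    if "$@"; then return 0; fi
    i=$((i + 1))
    [ "$i" -lt "$attempts" ] && sleep "$interval"
  done
  echo "$host did not come up after $attempts attempts" >&2
  return 1
}

# ssh_backup CMD...: run CMD as root on the backup server, never prompting.
ssh_backup() {
  ssh -i "$KEYFILE" -o BatchMode=yes -o ConnectTimeout=5 "root@$BACKUP_HOST" "$@"
}

# run_backup_cycle: wake, wait, back up, re-arm wake-on-LAN, power off.
# The server is shut down even when rsnapshot fails; the rsnapshot status is
# returned so cron mails the failure.
run_backup_cycle() {
  local rc=0
  wakeonlan "$BACKUP_MAC" || return 1
  wait_for_host "$BACKUP_HOST" 24 5 ssh_backup true || return 1   # up to ~2 minutes
  ssh_backup rsnapshot "$LEVEL" || rc=$?
  ssh_backup /sbin/ethtool -s eth0 wol g
  ssh_backup /sbin/shutdown -h now
  return "$rc"
}

# Only act when explicitly requested, e.g. from cron:
#   0 3 * * * RUN_BACKUP_CYCLE=1 /usr/local/sbin/backup_cycle.sh
if [ "${RUN_BACKUP_CYCLE:-0}" = 1 ]; then
  run_backup_cycle
fi
```

The probe used in practice is ssh_backup true, so a successful poll proves both that the host is up and that the control key works; an rsnapshot failure still leads to a clean shutdown but is reported through the exit status.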

Smartmontools + hdparm

Installation

aptitude install hdparm smartmontools

Configuration

Since Debian 9, hdparm is not run during system startup anymore. Thus, a custom systemd service has to be created in /etc/systemd/system/rc-local.service:

[Unit]
Description=/etc/rc.local
ConditionPathExists=/etc/rc.local

[Service]
Type=forking
ExecStart=/etc/rc.local start
TimeoutSec=0
StandardOutput=tty
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target

Create a dummy /etc/rc.local:

#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.

exit 0

Make it runnable and enable the systemd service:

chmod +x /etc/rc.local
systemctl enable rc-local
systemctl status rc-local.service

To check the health status of all disks, change the DEVICESCAN line in /etc/smartd.conf to the following, based on an article in c’t 17/2011, p. 178:

DEVICESCAN -a -n standby -m root -M test -o on -S on -s (S/../.././0|L/../../6/0)

Description of the options used:

-a: equivalent to -H, -f, -t, -l selftest, -l error, -C 197, -U 198
-n: skip the check when the disk is in the given power mode (here: standby)
-m: send warning emails to the given address
-M: email behaviour (test sends one test mail at startup)
-o: enable automatic offline testing
-S: enable attribute autosave
-s: start a self-test when the type/date matches the regex

Letting smartd check the drives every 12 h is sufficient for private use, so change /etc/default/smartmontools to:

start_smartd=yes
smartd_opts="--interval=43200"

Lighttpd

Installation

aptitude install lighttpd

Configuration

Adapt /var/www/html/index.html and add a favicon.ico there as well.

SSL

Adapt certificate paths in /etc/lighttpd/conf-available/10-ssl.conf and add the server name:

# /usr/share/doc/lighttpd/ssl.txt

# check against https://www.ssllabs.com/ssltest/ for issues

$SERVER["socket"] == "0.0.0.0:443" {
        ssl.engine  = "enable"
        ssl.pemfile = "/etc/letsencrypt/live/domain.example/cert+privkey.pem"
        ssl.ca-file = "/etc/letsencrypt/live/domain.example/fullchain.pem"
        server.name = "domain.example"

        ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
        ssl.honor-cipher-order = "enable"
}

Enable SSL with lighty-enable-mod ssl and restart the service.

Additionally redirect by default to https by creating /etc/lighttpd/conf-available/10-http-https-redirect.conf:

$HTTP["scheme"] == "http" {
    $HTTP["host"] =~ ".*" {
        url.redirect = (".*" => "https://%0$0")
    }
}

Activate the redirection by running lighty-enable-mod http-https-redirect and reloading lighttpd.

Webmail: roundcube + sqlite3 + lighttpd

Installation

A small-footprint webmail solution is roundcube in conjunction with sqlite3 and lighttpd. The order in which the PHP packages are installed matters, as otherwise we end up with Apache dependencies.

apt-get install lighttpd php-cgi php

Debian 9: Because of https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=898040, installing roundcube needs some help to work correctly. Install roundcube with low-priority debconf questions enabled. Choose the default answers where applicable, but don’t select any https server to be configured.

DEBIAN_PRIORITY=low apt-get install dbconfig-sqlite3 roundcube-core roundcube-sqlite3

Manually enable roundcube in lighttpd with

ln -s /etc/roundcube/lighttpd.conf /etc/lighttpd/conf-available/50-roundcube.conf
lighty-enable-mod roundcube fastcgi fastcgi-php

Debian 10: The bugfix was included for this release so we can install easily via aptitude install dbconfig-sqlite3 roundcube-sqlite3 roundcube.

Configuration

Session timeout can be configured in /etc/roundcube/defaults.inc.php via

// Session lifetime in minutes
$config['session_lifetime'] = 360;

Default host can be configured in /etc/roundcube/config.inc.php:

$config['default_host'] = array("localhost");

Debian 10: Set smtp_user and smtp_pass to empty strings. This was the default setting previously, but OpenSMTPD does not authenticate on the loopback device!

$config['smtp_user'] = '';
$config['smtp_pass'] = '';

Set the attachment size limits in /etc/php/7.*/cgi/php.ini:

upload_max_filesize = 20M
post_max_size = 30M

Roundcube user settings are stored in /var/lib/dbconfig-common/sqlite3/roundcube (see /etc/dbconfig-common/roundcube.conf).

Surveillance cameras

Surveillance cameras can be captured using ffmpeg wrapped in a script:

#!/bin/bash

set -e

# Usage: cctv_record.sh duration stream acodec destdir prefix
if [ "$#" -ne 5 ]; then
  echo "Usage: $0 duration stream acodec destdir prefix" >&2
  exit 1
fi

duration="$1"; stream="$2"; acodec="$3"; destdir="$4"; prefix="$5"

# Record for $duration seconds, re-encode audio to $acodec, copy the video stream
# unchanged and write a timestamped file (colons replaced so the name is safe on SMB).
ffmpeg -t "$duration" -i "$stream" -acodec "$acodec" -vcodec copy -y \
  "$destdir/${prefix}_$(date +%F-%T | tr ':' '_').mp4"

Call it from cron every hour; this generates timestamped files in /data/cctv, prefixed with cam1, each a little longer than an hour:

5 * * * * cctv_record.sh 3900 rtsp://camera.example.domain/live.sdp mp2 /data/cctv cam1

Additionally disk space needs to be monitored and old recordings removed as required.
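The housekeeping mentioned above, written out as an added example that is not part of the original notes: one function removes recordings older than a given number of days, another removes the oldest recordings until filesystem usage drops below a threshold. It relies on the PREFIX_YYYY-MM-DD-HH_MM_SS.mp4 naming produced by the recording script, so that lexical order equals chronological order; the retention values at the bottom are constructed.

```bash
#!/bin/bash
# Added example (not from the original notes): housekeeping for /data/cctv.

# prune_recordings DIR PREFIX DAYS: delete PREFIX_*.mp4 files in DIR whose
# modification time is older than DAYS days; prints the number removed.
prune_recordings() {
  local dir="$1" prefix="$2" days="$3"
  find "$dir" -maxdepth 1 -type f -name "${prefix}_*.mp4" -mtime "+$days" -print -delete \
    | wc -l | tr -d ' '
}

# oldest_recording DIR PREFIX: print the path of the oldest recording by name,
# or nothing when there are no recordings.
oldest_recording() {
  ls "$1"/"$2"_*.mp4 2>/dev/null | sort | head -n 1
}

# disk_use_pct DIR: percentage of the filesystem holding DIR that is in use.
disk_use_pct() {
  df -P "$1" | awk 'NR==2 { sub("%", "", $5); print $5 }'
}

# enforce_disk_use DIR PREFIX MAX_PCT: remove the oldest recording repeatedly
# until usage is at most MAX_PCT or no recordings remain; prints number removed.
enforce_disk_use() {
  local dir="$1" prefix="$2" max="$3" removed=0 victim
  while [ "$(disk_use_pct "$dir")" -gt "$max" ]; do
    victim=$(oldest_recording "$dir" "$prefix")
    [ -n "$victim" ] || break
    rm -f -- "$victim"
    removed=$((removed + 1))
  done
  echo "$removed"
}

# Run daily from cron, e.g.:  30 4 * * * RUN_CCTV_HOUSEKEEPING=1 /usr/local/sbin/cctv_housekeeping.sh
# Constructed policy: keep 14 days, never exceed 90 % usage.
if [ "${RUN_CCTV_HOUSEKEEPING:-0}" = 1 ]; then
  prune_recordings /data/cctv cam1 14
  enforce_disk_use /data/cctv cam1 90
fi
```

Age-based pruning runs first so the usage-based pass only has to act when the camera produced more data than expected; both print how many files they removed, which is enough for a cron mail to show what happened.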

Time lapse videos can be created by getting an image regularly and saving it with timestamp info. The actual video can be done via ffmpeg.

Samba

Installation

aptitude install samba

Configuration

Changes in default smb.conf:

  • [global]
    • interfaces = 127.0.0.0/8 192.168.33.32/27
    • bind interfaces only = yes
  • [homes]
    • read only = no
    • create mask = 0600
  • remove [printers] & [print$] sections (printers will be handled via cups)

Add own sections as needed:

[section_name]
   comment = Section description
   path = /what/to/share
   read only = Yes/No

Example of a public read-only share, e.g. for use by OpenELEC:

[public_read_only]
   comment = Section description
   path = /what/to/share
   read only = Yes
   guest ok = Yes

User management

smbpasswd -a username # will ask for SMB password
smbpasswd -e username # enables this user

VDR

Installation

The aim is to set up a headless VDR backend which:

  • provides content via VNSI to an OpenElec client
  • provides a web interface for live viewing and programming
  • provides EPG searching

aptitude install vdr vdr-plugin-vnsiserver vdr-plugin-live vdr-plugin-streamdev-server vdr-plugin-epgsearch

Configuration

Main configuration is located in /etc/vdr/conf.d/00-vdr.conf. Add -l 2 to reduce log spamming and specify --video= to the actual recordings location. Remove --lirc to avoid log spamming. Add --filesize=100G to split recordings into 100GB chunks.

Streaming has to be allowed for the local network in /etc/vdr/plugins/streamdevhosts.conf by adding the local subnet, e.g. 192.168.33.32/27.

The web frontend listens on all interfaces by default; this can be changed in /etc/vdr/conf.d/50-live.conf by using multiple --ip lines so that it only listens internally:

--ip=192.168.33.33
--ip=127.0.0.1

The VNSI plugin provides a default config for allowed hosts which has to be adapted in /etc/vdr/plugins/vnsiserver/allowed_hosts.conf.

Backup

The following files are relevant for backing up timers and channels:

/var/lib/vdr/channels.conf
/var/lib/vdr/timers.conf
/var/lib/vdr/plugins/epgsearch/epgsearch.conf
/var/lib/vdr/plugins/epgsearch/epgsearchdone.data
/var/lib/vdr/plugins/epgsearch/timersdone.conf

OpenSMTPD with sender dependent smart hosts

Installation

aptitude install opensmtpd

Configuration

The main config resides in /etc/smtpd.conf. In this case it enables authenticated users to relay to several smart hosts depending on the sender address of the email. Thus, users can send from their non-local addresses and OpenSMTPD knows where to forward the mail:

# This is the smtpd server system-wide configuration file.
# See smtpd.conf(5) for more information.

# Certificates for SSL and TLS
pki domain.example certificate "/etc/letsencrypt/live/domain.example/cert.pem"
pki domain.example key "/etc/letsencrypt/live/domain.example/privkey.pem"

# Accept local mail
listen on localhost
listen on 192.168.33.33

# Accept external mail when authenticated over a secure channel; authenticated users are considered local!
listen on 192.168.33.33 smtps pki domain.example auth

# SSL
listen on 192.168.2.254 smtps pki domain.example auth

# TLS
#listen on 192.168.2.254 port 465 tls pki domain.example auth

# If you edit the file, you have to run "smtpctl update table aliases"
table aliases file:/etc/aliases

# Forward mail for local accounts to their inbox
accept for local alias  deliver to mda "/usr/lib/dovecot/dovecot-lda -k"
accept from source 192.168.33.33/27 for local alias  deliver to mda "/usr/lib/dovecot/dovecot-lda -k"

# Table for smtp-auth credentials, has to be created with "makemap /etc/smtpd_auth"
table smtp_auth_db db:/etc/smtpd_auth.db

# Accept mail from known mail accounts and forward them to their respective smarthosts using smtp-auth
accept from local sender some_user@mailprovider.example for any relay via tls+auth://some_user_mailprovider@mailprovider.example auth


accept for any relay

Authorization data is located in /etc/smtpd_auth:

some_user_mailprovider username:password

After changing it the database has to be updated via makemap /etc/smtpd_auth. Authorization databases need to be readable by the user opensmtpd and should be protected from other users:

chmod 600 /etc/smtpd.conf /etc/smtpd_auth*
chown root.root /etc/smtpd.conf /etc/smtpd_auth
chown opensmtpd.opensmtpd /etc/smtpd_auth.db

/etc/aliases has to be updated to redirect root mails to an actual user.
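A check for the permission requirements stated above (credential files readable only by their owner, with the owner the notes prescribe), as an added example that is not part of the original notes. It parses ls -l rather than stat so it behaves the same on every Debian release in these notes; the file list in audit_smtpd_secrets mirrors the chmod/chown commands above.

```bash
#!/bin/bash
# Added example (not from the original notes): audit OpenSMTPD credential files.

# check_private_file FILE OWNER: return 0 when FILE grants no group/other
# permission bits and is owned by OWNER; otherwise report why on stderr and
# return 1. Uses ls -ld, whose mode string is columns 1-10 and owner field 3.
check_private_file() {
  local file="$1" owner="$2" perms fowner go
  [ -e "$file" ] || { echo "$file: missing" >&2; return 1; }
  set -- $(ls -ld "$file")
  perms="$1"; fowner="$3"
  go=$(printf '%s' "$perms" | cut -c5-10)   # group+other part of e.g. -rw-------
  if [ "$go" != "------" ]; then
    echo "$file: mode $perms is readable by group or others" >&2
    return 1
  fi
  if [ "$fowner" != "$owner" ]; then
    echo "$file: owned by $fowner, expected $owner" >&2
    return 1
  fi
  return 0
}

# audit_smtpd_secrets: apply the check to the files and owners from the notes;
# returns 1 if any of them is exposed.
audit_smtpd_secrets() {
  local rc=0
  check_private_file /etc/smtpd.conf root || rc=1
  check_private_file /etc/smtpd_auth root || rc=1
  check_private_file /etc/smtpd_auth.db opensmtpd || rc=1
  return "$rc"
}

# Run after every makemap, e.g. from the same cron job or by hand:
#   audit_smtpd_secrets && echo "smtpd credentials OK"
```

Because /etc/smtpd.conf embeds the smart-host account names and /etc/smtpd_auth holds the passwords in clear text, any failure reported here means local users could read relay credentials; fix it with the chmod/chown lines above and re-run the audit.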